Mozilla Accelerates Phasing Out SHA-1 Certificates

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST.

It is an algorithm Internet users depended on for most of the life of the Internet. But now, SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.

In a recent blog post, Mozilla explains its plan to accelerate the phase-out of SHA-1 certificates.

“In early 2017, Firefox will show an overridable ‘Untrusted Connection’ error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.”

From January this year, CAs no longer allow the issuance of SHA-1 certificates. Mozilla’s telemetry data shows that SHA-1 usage has been reduced from 3.5% to 0.8%. This policy will be available as an option in Firefox 51 when it is released in January. Mozilla urges SHA-1 users to migrate as quickly as possible.
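
Whether a certificate falls under this policy can be read from its signature algorithm field. The following is an added example, not code from Mozilla or the original article: a minimal DER reader that reports whether a certificate's outer signatureAlgorithm is a SHA-1 variant. The function names and the two stub inputs are constructed for illustration; the stubs contain only the fields the reader touches and are not valid certificates.

```python
import base64

# DER-encoded OIDs of signature algorithms that hash with SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",  # 1.2.840.113549.1.1.5
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",            # 1.2.840.10045.4.1
    bytes.fromhex("2a8648ce380403"): "dsa-with-SHA1",              # 1.2.840.10040.4.3
}

# Constructed stubs: SEQUENCE { empty tbsCertificate, AlgorithmIdentifier, BIT STRING }.
SAMPLE_SHA1 = bytes.fromhex("30153000300d06092a864886f70d010105050003020000")
SAMPLE_SHA256 = bytes.fromhex("30153000300d06092a864886f70d01010b050003020000")

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def outer_signature_oid(der):
    """Return the OID bytes of Certificate.signatureAlgorithm."""
    tag, start, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    return der[oid_start:oid_end]

def sha1_signature_name(cert):
    """Return the SHA-1 algorithm name for a DER or PEM certificate, else None."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = cert.splitlines()
        cert = base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))
    return SHA1_SIG_OIDS.get(outer_signature_oid(cert))
```

When auditing a chain, apply the check to the leaf and each intermediate; the root is a trust anchor, so its own self-signature is not what the chain's validity rests on.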